Protect4S VM is capable of checking conditions on the operating system platform layer using the SOAP interface of SAPControl. In order to authenticate a valid operating system user/password combination for the satellite system must be provided to the System connection wizard.

• From Protect4S 6.0 onwards, the Operating system user is no longer required for ABAP type satellite systems. However, it is recommended to use an operating system user when possible.

Some operating system checks rely on the SAPControl OSExecute function, which can only be executed by the <sid>adm user (the standard SAP system owner) or a new user that was cloned from <sid>adm.

If this is allowed by your specific security policy, it is recommended to supply the <sid>adm user/password combination for the SAPControl connection when running the System connection wizard. In practice this means that this combination will be stored in the SAP secure store of the SAP Solution Manager (as all other Protect4S users).

If using <sid>adm is not allowed for some reason, you can use an operating system user other than <sid>adm. For this see our user guide chapter: operating system user other than <sid>adm.

In case of any problems with this user, please check Appendix A: SAPControl connections.

Secure Store in Protect4S system

Should you decide to use the <sid>adm passwords of the satellite systems, please first check if the SAP Secure store of the Protect4S system is properly protected. The secure store key phrase should not set to the default key. This can be checked using SAP transaction SECSTORE:

Transaction SECSTORE default Key warning

In this case, consider implementation of the following SAP OSS Notes:

1902258 - Secure Storage in the Database Key File Tool

1902611 - Potential information disclosure relating to BC-SEC